
Expert Advice Community

Guest user Created:   Aug 13, 2022 Last commented:   Aug 23, 2022

Auditing suppliers - ISO 27001/Data Protection

We are using Conformio and also have your Data Protection kit. One thing common to both is the need to audit suppliers. Our supply contracts will not justify in-person audits or even lengthy online audits. I have your internal audit booklet, have been through your internal audit course a couple of times and carried out an internal audit for our company. However, our supply contracts will not justify in-person audits or even lengthy online audits (like our internal audit).

Do you have any guidance/resource for carrying out a “lighter” audit e.g. checklists/questionnaires/guidance on what to look for? I can construct something but wondered if you had anything.


Expert
Rhand Leal Aug 13, 2022

If you want to create a short checklist for a second-party audit (supplier audit), the best would be to read the security clauses from the agreement with this supplier, and list each security requirement as an item in your checklist. 

For a guide on how to perform a remote audit, watch the recording of this webinar: How to Perform a Remote Audit https://training.advisera.com/how-to-perform-remote-audit/ 

Albert Koubov Gonzalez Aug 23, 2022

Hello.

One "lighter" audit you can perform is to check if the supplier is ISO27001-certified, if they have a SOC2 audit report to read through, and if they have penetration test reports, as a way of evaluating their security posture and seeing if they fulfill your security requirements. SOC2 audit reports usually list any deficiencies identified; the fact that the supplier is ISO27001-certified means that they have passed both an internal audit and an external audit with no Major Non-Conformity, which is a good sign in itself; and penetration test reports can show what sort of vulnerabilities were identified, so you can ask the supplier how and when they addressed these vulnerabilities.

This "lighter" audit is a valid option especially in the case when you have signed standard agreements with SaaS-based or cloud providers that don't give you the option of signing a tailored agreement with your specific security clauses and so restrict you from performing onsite or remote audits.

If they don't have anything, then unfortunately the only thing you can resort to is Information Security Questionnaires that they need to fill out, after which you read their replies. Since anything written can potentially be a lie unless you verify it, you can also request samples of evidence for any claims they make in terms of controls and evaluate these.

If they don't even provide that, then maybe you should flag this supplier as risky and bring it up to management whether arrangements and a plan to replace the supplier with another supplier should be considered.
